The aim of this paper is to define a logical language to express information sharing policies for coalitions, which have to cope with dynamic environments. We propose to use a first-order-logic-based language to express policies via concepts like time, action, context, roles in organizations and deontic notions. We then define consistency for a sharing policy and propose two definitions for policy completeness.

1  Introduction 

In a coalition, command and control units of different countries need to share information coming from many sources (such as intelligence sources or others), in order to get, for instance, a common representation of the crisis situation, and then take relevant decisions to achieve their mission. They also have to cope with large amounts of partial information, under short information processing time limits. Moreover, such information sharing takes place in a high-risk environment [14]:

— countries involved in a coalition are not necessarily allies,

— the trust relation between them may change over time,

— trust relations between countries may not be symmetric,

— people may change their role in the organization of the coalition, and so change their “need to know”.

In such conditions, there is a significant threat of violating information security properties, such as confidentiality (no unauthorized divulging of secret information) or availability (information must be available according to users’ rights). This may have disastrous consequences for each country’s national security.

So, in order for users to trust an information exchange system such as a COP (Common Operational Picture) [1], it is necessary to control and regulate information broadcast within the system.

Given  a  distributed  information  exchange  system  to  be  designed,  one  issue  is  to  provide  its 
designers  with  a  sharing  policy  to  protect  information  and,  through  information,  every  country 
involved  in  the  coalition.  A  sharing  policy  can  be  seen  as  a  regulation  which  specifies  authorized, 
permitted  or  prohibited  diffusion  of  information  within  the  system. 

For  example,  in  such  a  sharing  policy,  one  could  express  rules  such  as: 

— in a context of occurrence of any event related to terrorism in Sweetland, information about this event must be sent to the commander of the joint task force (CJTF) of the coalition K within one hour. In this rule the context is defined by a kind of event, and information must be sent to someone who plays the role of CJTF in the organization of K.

— in a context of crisis, any piece of information connected to the topic “aircraft” must, as soon as it is learned by an agent a, be sent to an agent b within less than 3 seconds. It is worthwhile sending the piece of information in such a short time, because it will quickly become irrelevant, due to the speed of aircraft.

— in every context, everybody is forbidden to send pieces of information with a security level of n to anybody whose habilitation level is less than n. Such a rule may be used in a coalition where each piece of information and each agent are assigned respectively a security and a habilitation level.

A sharing policy can be useful for several purposes: specifying an information exchange system, and increasing the trust of its users (called agents in the remainder of this paper) and the system reliability, thus making it really useful. For this reason, it is important to get a “good” sharing policy: the quality of a sharing policy depends on properties such as its consistency or its completeness.

As the subject of this paper is connected with information system security, we take our inspiration from a well known approach in this field, which consists in defining security policies in order to preserve security properties of information (mainly confidentiality, availability and integrity). What can we learn from it? On the one hand, since the actors of a coalition are often military forces, we could think about using mandatory models [2,3], where users’ rights are defined by their organization. With this approach, rights cannot easily be changed over time and cannot be delegated to other users. On the other hand, discretionary access control models [11] allow each subject (or active entity) to give its access rights on an object (or information container) to other subjects. Unfortunately, they may lead to information leaks and so violate confidentiality. Both kinds of models only explicitly regulate permitted access to pieces of information, obligatory access being implicitly managed through the information system specifications. However, the previous examples of rules show that we need obligation rules for information diffusion, at least for information relevance and availability reasons. Moreover, the rules defining obligations about sharing must be explicit, in order to be able to verify properties on the whole set of sharing rules.

The aim of this paper is first to define a formalism to help express a sharing policy (section 2). This formalism is based upon deontic concepts and first-order logic. We then define within this framework the properties of consistency and completeness for a sharing policy in sections 3 and 4. We finally sketch further issues for this preliminary work.

2  A  formalism  for  expressing  information  sharing  policies 

In  this  section,  we  will  present  the  concepts  used  in  our  formalism,  a  logical  framework  to  represent 
and  to  reason  about  them  and  a  method  for  expressing  policies. 

2.1  Useful  concepts 

In order to express a sharing policy, we need the following primitive concepts: time, actions, properties, deontic modalities and contexts. We present them in the following.

Time  is  an  important  concept,  because  the  deontic  notions  associated  with  information  sharing 
will  change  over  time.  We  need  to  distinguish  three  temporal  dimensions: 

— the time at which a piece of information is valid,

— the time at which an agent gets a piece of information,

— the time at which an agent sends a piece of information.

Those three notions are necessary. For instance, we may express that an agent is obliged to send a piece of information as soon as it gets it and to send it before a certain amount of time has elapsed. In this case, we have to know the time at which the agent sends the information in order to verify that it has not violated the previous obligation.

We  will  consider  only  two  actions  in  our  framework: 

—  learn(x,  i,  t)  which  means  that  agent  x  learns  information  i  at  time  t, 

—  send(x,  i,  y,  t)  which  means  that  agent  x  sends  information  i  to  an  agent  y  at  time  t. 

Properties represent general assertions about the current state of the world. We can distinguish the time-dependent properties from the others. For instance:

—  Ally(x,  y,  t):  the  country  of  the  agent  y  is  an  ally  of  the  country  of  the  agent  x  at  time  t, 

— Level(x, l, t): the habilitation level (respectively the security level) of an agent (respectively a piece of information) x is l at time t. In information security, the definition of Level values for a military context is often based upon a lattice. For instance, we can distinguish “Classified” and “Top-secret” information and express with the lattice that classified information is more confidential than top-secret information.

— Topic(i, to): the information i deals with topic to.

—  Playsrole(x,  r,  o,  t):  the  agent  x  plays  the  role  r  in  the  organization  o  at  time  t. 

—  Hsuperior(x,  y,  o,  t):  the  role  x  is  hierarchically  superior  to  the  role  y  in  the  organization  o  at 
time  t. 

As  we  want  to  express  norms,  i.e.  rules  which  specify  what  must,  may  or  must  not  be  done,  we 
need  deontic  modalities,  particularly  about  information  sharing.  Therefore,  we  introduce  classical 
deontic  concepts  of  obligation,  prohibition  and  permission  for  information  sending: 

— Obligatory(send(x, i, y, t)) means that agent x is obliged to send the information i at time t to agent y,

— Prohibited(send(x, i, y, t)) means that agent x is prohibited from sending the information i at time t to agent y,

— Permitted(send(x, i, y, t)) means that agent x is permitted to send the information i at time t to agent y.

Moreover, we need consistency axioms between these deontic predicates, which are expressed through the following constraints¹:

— $\lnot(Permitted(x) \land Forbidden(x))$

— $Obligatory(x) \to Permitted(x)$

— $\lnot(Obligatory(x) \land Forbidden(x))$

¹ Notice that the third one can be deduced from the first two.
Classically, those constraints express the fact that something obligatory or permitted cannot be forbidden, and that something obligatory is permitted.

Finally, the notion of context is important here. Coalitions work in dynamic environments: crisis, quiet situations, occurrences of events, etc. For instance:

— Occurrence(e, k, t) means that an event e of kind k occurs at time t.

— Crisis(t) means that there is a crisis situation at time t.

Information sharing modalities may depend upon each kind of environment, and we call this environment a context. Contexts are mentioned in information sharing rules. Therefore, if c is a context, a general form for a rule r is $c \to r$, meaning that rule r applies in context c.

2.2  A  logic-based  formalism 

In  this  section  we  propose  a  logical  framework  L  in  order  to  deal  with  the  concepts  defined  previously. 
This  framework  is  based  upon  a  typed  first  order  logic. 

We suppose that atomic pieces of shared information are expressed through a given entity-relation database model. That kind of representation is currently used in the coalition field; see for instance the IDEF1X (Integration Definition for Information Modeling) language on which the JC3IEDM (Joint Control Command and Consultation Information Exchange Data Model) formalism is based. In such models, entities represent a kind of “type” (like aircraft) and an entity instance a particular object of this type. Objects can be composite objects: for instance coordinates are composed of two numbers. A relation is an association between entities. For instance, position is a relation between the entity aircraft and the entity coordinates.

A strong hypothesis in this work is that we only deal with atomic pieces of information, like “the position of the object O is (45,32)”. This seems to be sufficient for our application needs.

As  usual,  the  alphabet  of  L  will  be  based  on  three  distinct  groups  of  symbols:  constant  symbols, 
predicate  symbols  and  function  symbols. 

Let us specify that constant names are denoted by upper-case Latin symbols (object O, agent A), whereas variables are denoted by lower-case Latin symbols. Moreover, predicate names begin with an upper-case symbol and function names with a lower-case symbol.

Finally,  as  we  want  to  type  our  language,  we  will  distinguish  different  groups  of  symbols  among 
those  three  categories. 

Definition  1.  We  distinguish  four  sets  of  constants: 

— I-constants, which represent values of the domain of the attributes of the information database model.

— Ag-constants, which represent agents who share information in the system.

— T-constants, which represent time points (essentially as dates).

— other constants, which are denoted O-constants.

In the previous example, object O, 45 and 32 are I-constants. O-constants are used to represent information topics (localization in our example), or security levels for instance.

Definition  2.  We  characterize  predicate  symbols  in  the  following  way: 
— Obligatory, Permitted and Forbidden are unary predicates that we call D-predicates (for deontic predicates).

— Learn(., ., .) is a ternary predicate symbol.

— contexts are expressed through predicates with at least one parameter for time. We call them C-predicates: Crisis(.), Occurrence(., ., .), ...

— P-predicates are used to express any kind of property on pieces of information, agents, etc.

We use predicates to represent deontic notions as in [9]. Notice that P-predicates include the classical mathematical operators like > and =. Some other examples of P-predicates are Playsrole(., ., ., .), Level(., ., .), Ally(., ., .), etc.

Definition 3. Functions are characterized in the following way:

— I-functions represent relations of the information database model, with the corresponding arity.

— not(.) is a unary function used to represent object-level negation.

— send(., ., ., .) is a function with four arguments representing the action of sending a piece of information.

For instance, the position relation in the database is represented by the I-function position(., .). We can now define the formulas of L.

Definition 4. Formulas of L are defined recursively as follows:

— If $f$ is an I-function and $t_1, \ldots, t_n$ are I-constants or variables, then $f(t_1, \ldots, t_n)$ and $not(f(t_1, \ldots, t_n))$ are I-terms.

— If $t_1, \ldots, t_n$ are constants or variables and $C$ is a C-predicate, then $C(t_1, \ldots, t_n)$ is a C-literal and is a formula of L.

— Let $x$ be an Ag-constant, $i$ be an I-term or a variable, and $t$ be a T-constant or a variable. Then $Learn(x, i, t)$ is an L-literal and a formula of L.

— Let $x$ and $y$ be Ag-constants or variables, $i$ be an I-term or a variable, and $t$ be a T-constant or a variable. Then $Obligatory(send(x, i, y, t))$, $Permitted(send(x, i, y, t))$ and $Forbidden(send(x, i, y, t))$ are D-literals. They are formulas of L.

— If $t_1, \ldots, t_n$ are constants or variables and $P$ is a P-predicate, then $P(t_1, \ldots, t_n)$ is a P-literal, and a formula of L.

— Let $F_1$ and $F_2$ be formulas of L and $x$ be a variable. Then $\lnot F_1$, $F_1 \land F_2$, $F_1 \lor F_2$, $\forall x\ F_1$ and $\exists x\ F_1$ are formulas of L, as usually defined.

2.3  Definition  of  an  information  sharing  policy 

In this section, we define the rules of an information sharing policy within the above logical language.

An information sharing policy is a set of formulas of L which are Horn clauses² $l_1 \lor l_2 \lor \ldots \lor l_n$ such that:

— $l_n$ is the only positive literal and is a D-literal,

— $\forall i \in \{1, \ldots, n-1\}$, $l_i$ is a negative C-literal, L-literal, P-literal or D-literal,

² A Horn clause is a clause in which only one literal is positive.

— if $x$ is a variable in $l_n$, then $\exists i \in \{1, \ldots, n-1\}$ such that $l_i$ is a negative literal and contains the variable $x$. This last condition comes from the definition of range restriction in the database domain: it aims to characterize meaningful formulas.

Rules of a sharing policy can be expressed by such formulas.

Example 1. The rule “in a context of crisis and occurrence of any event related to terrorism in Sweetland, information about this event must be sent to the commander of the joint task force (CJTF) of the coalition K within one hour” is expressed with the following formula:

(R0) $\forall i\ \forall t\ \forall t'\ \forall x\ \forall y\ \forall e\ \ Crisis(t) \land Playsrole(x, CJTF, K, t) \land Occurrence(e, Terrorist, t) \land Learn(y, position(e, Sweetland), t') \to Obligatory(send(y, position(e, Sweetland), x, t' + 1))$

Example 2. Suppose our policy deals with confidentiality of information under a multi-level model; suppose that in that model, each piece of information and each agent are assigned respectively a security and a habilitation level.

The rule “in every context, everybody is forbidden to send pieces of information with a security level of n to anybody whose habilitation level is less than n” is expressed with the following formula:

(R1) $\forall x\ \forall i\ \forall y\ \forall n\ \forall n'\ \forall t_0\ \forall t_1\ \forall t_2\ \forall t_3\ \ Learn(x, i, t_0) \land Learn(x, level(i, n), t_1) \land Learn(y, level(y, n'), t_2) \land (n' < n) \land (t_3 > \max(t_0, t_1, t_2)) \to Forbidden(send(x, i, y, t_3))$

Notice that there is no context predicate in this formula, so the rule is applicable in every context. Consider now a sharing policy saying that in a context of crisis, any information about the topic “air-ground missile (AGM)” must, as soon as it is learned by agent A, be sent to agent B.

This rule may be expressed with the following formula:

(R2) $\forall i\ \forall t\ \forall t'\ \ Crisis(t) \land Learn(A, i, t) \land Learn(A, topic(i, AGM), t') \to Obligatory(send(A, i, B, \max(t, t')))$

3  Consistency  of  an  information  sharing  policy 

Given a situation and a sharing policy, we want to avoid deducing that some agent a is both obliged and prohibited (or permitted and prohibited) to send a piece of information to some other agent b. In such cases, it would be impossible for a to know what it has to do. In other words, a would face a dilemma. Therefore, we classically define the property of consistency for a sharing policy.

Let Dom be the set of domain knowledge and domain meta-knowledge. For instance, it includes relations between the topics concerned by information. Dom may for instance include the following knowledge:


RTO-MP-IST-062
UNCLASSIFIED/UNLIMITED
Information Sharing Policies for Coalition Systems
(D1) $\forall x\ \forall y\ \forall z\ \ type(x, y) \to topic(type(x, y), y) \land topic(position(x, z), y)$

(D1) means that if the type of x is y, then the information “the type of x is y” and “the position of x is z” both deal with the topic y.


(D2) $\forall x\ \forall y\ \forall z\ \forall a\ \forall t\ \ Learn(a, type(x, y), t) \to Learn(a, topic(type(x, y), y), t) \land Learn(a, topic(position(x, z), y), t)$

(D2) means that if an agent a learns at time t that the type of x is y, then at the same time a learns that the information “the type of x is y” and “the position of x is z” both deal with the semantic topic y.


(D3) $\forall t\ \lnot(Quiet(t) \land Crisis(t))$

(D3) means that a context cannot be both quiet and a crisis context.


(D4) $Majorlevel(SD, CD)$

(D4) means that the SD (Top-secret) habilitation or security level is greater than the CD (Confidential) habilitation or security level, in the case of a multilevel application.

Let us also add the following axioms about D-predicates, as stipulated in 2.1:

(A1) $\forall x\ \lnot(Permitted(x) \land Forbidden(x))$

(A2) $\forall x\ \ Obligatory(x) \to Permitted(x)$

(A3) $\forall x\ \lnot(Obligatory(x) \land Forbidden(x))$

(A1) means that nothing can be both permitted and forbidden. (A3) means that nothing can be both obligatory and prohibited, and (A2) means that anything which is obligatory also has to be permitted. Notice that we can deduce (A3) from (A1) and (A2).

We  can  now  introduce  our  definition  of  consistency  for  a  policy. 

Definition 5. Let P be a sharing policy, defined as a set of formulas of L (cf. 2.2). P is said to be consistent if and only if there does not exist any set S of clauses without D-literals such that the logical theory $P \cup \{(A1), (A2), (A3)\} \cup S \cup Dom$ is inconsistent.

If  we  are  able  to  find  such  a  set  S,  then  S  is  the  set  of  circumstances  that  can  lead  to  a 
contradiction. 

We  will  next  illustrate  this  definition  through  two  examples. 

Example 3. Let P be a sharing policy which says that in a crisis context:

— (R2) any agent x must send to every agent y every piece of information dealing with the topic AGM as soon as it has learned it:

(R2) $\forall x\ \forall i\ \forall y\ \forall t\ \forall t'\ \ Crisis(t) \land Learn(x, i, t) \land Learn(x, topic(i, AGM), t') \to Obligatory(send(x, i, y, \max(t, t')))$

— (R3) every agent is forbidden to send any information dealing with the topic “Nuclear” (written Nu) to anybody:

(R3) $\forall x\ \forall i\ \forall y\ \forall t\ \forall t'\ \forall t''\ \ Crisis(t) \land Learn(x, i, t) \land Learn(x, topic(i, Nu), t') \land t'' > \max(t, t') \to Forbidden(send(x, i, y, t''))$

Let Dom include the rules (D2) and (D3). Let us now consider the following scenario:

— there is a crisis context,

— on March 30th, a learns the position of an object o, and learns that o is a nuclear arm,

— on March 31st, a learns that o is an air-ground missile (AGM).

With P we can deduce from (D2) that, on March 30th, a learns that the information about the position of o is related to the topic Nu. Thus, from (R3), a is forbidden to send the position of o from March 30th on. In particular, a is forbidden to send the position of o to the agent b on March 31st.

However, as a learns on March 31st that o is an air-ground missile, from (D2) a also learns that the piece of information about the position of o is related to the topic AGM. Then from (R2), a is immediately obliged to send it to b.

So on March 31st, the agent a faces a dilemma: to send or not to send the position of o to b.

Let us consider $S = \{Learn(a, type(o, Nu), 30),\ Learn(a, type(o, AGM), 31),\ Crisis(30)\}$. We can show that $P \cup \{(A1), (A2), (A3)\} \cup S \cup Dom$ is inconsistent. That means that P is inconsistent according to our previous definition.

Example 4. Let us consider P' composed of two rules:

— (R2), about diffusion of AGM information in a context of crisis:

(R2) $\forall x\ \forall i\ \forall y\ \forall t\ \forall t'\ \ Crisis(t) \land Learn(x, i, t) \land Learn(x, topic(i, AGM), t') \to Obligatory(send(x, i, y, \max(t, t')))$

— and (R4): in a quiet context, every agent is forbidden to send any information dealing with the semantic topic “Nuclear” (written Nu) to anybody:

(R4) $\forall x\ \forall i\ \forall y\ \forall t\ \forall t'\ \forall t''\ \ Quiet(t) \land Learn(x, i, t) \land Learn(x, topic(i, Nu), t') \land t'' > \max(t, t') \to Forbidden(send(x, i, y, t''))$

From (D3), since we cannot be simultaneously in a quiet and a crisis context, there is no situation in which an agent is simultaneously obliged and forbidden to send a piece of information dealing with both the AGM and Nu topics. So, according to our definition, P' is consistent.
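As an added illustration (not code from the paper), the following Python checker encodes (D2), (R2), (R3) and (R4) over the ground scenario of Example 3 and reports the send actions that are both obligatory and forbidden, i.e. the violations of axiom (A3). It tests only the given scenario S rather than searching for one as Definition 5 requires; the agent names a and b, the object o, the integer day numbers and the coordinate values are constructed sample values, and the finite-domain restriction on z in (D2) is an assumption of this toy.

```python
"""Toy consistency check for the policies P = {R2, R3} and P' = {R2, R4}.

Facts and deontic literals are plain tuples.  Times are integers (day of March).
Scenario values (agents "a"/"b", object "o", coordinates) are constructed.
"""
from itertools import product

CRISIS, QUIET, LEARN = "Crisis", "Quiet", "Learn"
OBLIGATORY, FORBIDDEN = "Obligatory", "Forbidden"

# Scenario S of Example 3, plus the position of o that a learns on the 30th.
SCENARIO = {
    (CRISIS, 30),
    (LEARN, "a", ("position", "o", ("45", "32")), 30),
    (LEARN, "a", ("type", "o", "Nu"), 30),
    (LEARN, "a", ("type", "o", "AGM"), 31),
}
AGENTS = ("a", "b")


def learns(facts):
    """All Learn(agent, info, time) facts."""
    return [f for f in facts if f[0] == LEARN]


def times(facts):
    """Finite time horizon: every timestamp occurring in the facts."""
    return sorted({f[-1] for f in facts})


def apply_d2(facts):
    """(D2): Learn(a, type(x,y), t) yields Learn(a, topic(type(x,y),y), t) and
    Learn(a, topic(position(x,z),y), t).  z ranges only over positions of x the
    agent has already learned (finite-domain restriction, an assumption here)."""
    derived = set(facts)
    for (_, ag, info, t) in learns(facts):
        if info[0] != "type":
            continue
        _, x, y = info
        derived.add((LEARN, ag, ("topic", info, y), t))
        for (_, ag2, info2, _) in learns(facts):
            if ag2 == ag and info2[0] == "position" and info2[1] == x:
                derived.add((LEARN, ag, ("topic", info2, y), t))
    return derived


def topic_rule(facts, context, topic, modality, strict_later):
    """Common shape of (R2), (R3), (R4):
    context(t) & Learn(x,i,t) & Learn(x, topic(i,topic), t') [& t'' > max(t,t')]
        -> modality(send(x, i, y, max(t,t') or t''))   for every other agent y."""
    out = set()
    for (_, x, i, t) in learns(facts):
        if (context, t) not in facts:
            continue
        for (_, x2, info2, t2) in learns(facts):
            if x2 != x or info2 != ("topic", i, topic):
                continue
            base = max(t, t2)
            send_times = [t3 for t3 in times(facts) if t3 > base] if strict_later else [base]
            for y, t3 in product(AGENTS, send_times):
                if y != x:
                    out.add((modality, ("send", x, i, y, t3)))
    return out


def r2(facts):
    return topic_rule(facts, CRISIS, "AGM", OBLIGATORY, strict_later=False)


def r3(facts):
    return topic_rule(facts, CRISIS, "Nu", FORBIDDEN, strict_later=True)


def r4(facts):
    return topic_rule(facts, QUIET, "Nu", FORBIDDEN, strict_later=True)


def dilemmas(policy, scenario):
    """Send actions that are both Obligatory and Forbidden, i.e. violations of (A3).
    An empty result means the policy is consistent on this scenario."""
    facts = apply_d2(scenario)
    lits = set().union(*(rule(facts) for rule in policy))
    obliged = {act for (m, act) in lits if m == OBLIGATORY}
    forbidden = {act for (m, act) in lits if m == FORBIDDEN}
    return sorted(obliged & forbidden)


if __name__ == "__main__":
    print("P  = {R2, R3}:", dilemmas([r2, r3], SCENARIO))  # one dilemma on the 31st
    print("P' = {R2, R4}:", dilemmas([r2, r4], SCENARIO))  # []
```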
4 Completeness of an information sharing policy

Now, the intuition we want to capture is that, given a sharing policy P, in any situation P allows one to deduce whether an agent a is permitted, obliged or forbidden to send a particular piece of information to another agent b.

We  propose  a  first  definition: 

Definition 6. Let P be a sharing policy defined on L. P is said to be complete if and only if for every context c, every time constant t, every pair of agents a and b, and every information i, the following property is true:

— $P \models c \to Obligatory(send(a, i, b, t))$ or

— $P \models c \to Forbidden(send(a, i, b, t))$ or

— $P \models c \to Permitted(send(a, i, b, t))$

In fact, it is quite difficult to anticipate all possible cases while defining a sharing policy: our first definition of completeness is unrealistic. What seems more realistic is to impose completeness only for important subjects or some topics, or to restrict completeness to a small group of agents. For instance, an agent should always know what to do with an important piece of information. Thus, we propose a weaker definition of completeness.

Definition 7. Let P be a sharing policy defined on L. Let D(x, i, y, t) be a formula of L and c be a context. P is said to be complete for D and c for every pair of agents x and y if and only if:

— $P \models c \to (\forall x\ \forall i\ \forall y\ \forall t\ \ D(x, i, y, t) \to Obligatory(send(x, i, y, t)))$ or

— $P \models c \to (\forall x\ \forall i\ \forall y\ \forall t\ \ D(x, i, y, t) \to Forbidden(send(x, i, y, t)))$ or

— $P \models c \to (\forall x\ \forall i\ \forall y\ \forall t\ \ D(x, i, y, t) \to Permitted(send(x, i, y, t)))$

Example 5. Let us return to Example 3. The rules of the policy are:

(R2) $\forall x\ \forall i\ \forall y\ \forall t\ \forall t'\ \ Crisis(t) \land Learn(x, i, t) \land Learn(x, topic(i, AGM), t') \to Obligatory(send(x, i, y, \max(t, t')))$

(R4) $\forall x\ \forall i\ \forall y\ \forall t\ \forall t'\ \forall t''\ \ Quiet(t) \land Learn(x, i, t) \land Learn(x, topic(i, Nu), t') \land t'' > \max(t, t') \to Forbidden(send(x, i, y, t''))$

We can show that this policy is complete for the following formula:

$\exists t\ \exists t'\ \ Learn(x, i, t) \land Learn(x, topic(i, Nu), t') \land t'' > \max(t, t')$

This means that if an agent a knows a piece of information and learns that this information has Nu as topic, then a knows what to do regarding the sending of the information (more precisely, a is forbidden to send the information).
5 Conclusion

In this paper we have defined a logical framework to express and reason about information sharing policies for coalitions. The rules expressed in such a policy depend on several concepts: deontic notions, such as permission and obligation, time, communication actions and context.

We have proposed a definition of policy consistency. Consistency allows a policy designer to verify that an agent cannot face a dilemma concerning a piece of information. Notice that we can use SOL deduction [12] to verify this consistency efficiently and to find possible counterexamples (cf. also [9]).

The completeness problem is different and more difficult. The first definition we proposed is too restrictive: in order to obtain the completeness property, the designer of a policy must know in advance all the possible cases for the policy. We then proposed a restricted definition of completeness, allowing one to consider the property only for some topics, for instance. The designer can then concentrate on the important domains only.

This  preliminary  work  can  be  extended  in  several  directions. 

First, we can go deeper into the theoretical framework, for instance by proposing a more precise definition of completeness. Notice also that we have not treated the classical problems of deontic logic, like contrary-to-duty obligations [8,6]. This study has to be done, particularly in the coalition context where the regulation can be huge and where such problems may arise. We can also study obligations with deadlines, which are strongly related to our problem [5].

The semantics of the Learn predicate must also be studied. More precisely, the formal link between the updates of an agent’s belief base (when the agent receives a piece of information) [10] and the application of norms (a permission or an obligation has to be taken into account at a certain date) is an interesting extension of this work. If we consider that each agent has a belief base which can be updated by new information, the “triggers” for new regulation have to be calculated from the difference between the agent’s old beliefs and new beliefs (only new pieces of information have to be considered).

Finally, in a coalition, an agent’s need for information is constrained more by the agent’s role than by the agent itself. Several agents can have the same role in the coalition, the role of an agent can change during the coalition mission, etc. Thus, we have introduced in our framework the notion of role [4, 7]. Moreover, it can be interesting to use the various works on RBAC (Role-Based Access Control) security policies [15, 13]. Using roles, we can express conditions on the agents’ roles, which is less tedious than expressing conditions on agents (the roles in a coalition are quite stable, whereas the agents can change frequently). Notice also that the notion of role has been used in the architecture for secure information sharing in dynamic coalitions presented in [14]. In our formalism, we have introduced roles through the predicates Playsrole and Hsuperior, but more effort is needed to have a complete representation of the notions developed in the cited papers.
• Sharing and exchange of information in a coalition: needs

• Notion of a sharing policy

• Useful concepts for expressing a sharing policy

• A formalism for defining a sharing policy

• Properties of a sharing policy: consistency, completeness

• Conclusion
Sharing and exchange of information in a coalition

Context: coalitions and COP

Purpose of a COP (Common Operational Picture)

• a single representation of the situation for decision making, built from situation information that is correlated, fused and then enriched

Collection and generation of information

• hierarchical,

• distributed by area of competence (air/sea/land, weather, geographic sector)

• Automatic sending (sensors, GPS, databases...)

• Manual sending (unit reports, intelligence databases, tactical knowledge databases...)

Problem: how to control the broadcast and sharing of information?
Information sharing and exchange in a coalition

Some conditions for a COP to succeed

Common understanding of the information by all users

→ a common data schema accepted by all, e.g. JC3IEDM

Trust of the users who feed the COP or who exploit it

Desire for guarantees on properties of the exchanged information and on the modalities of exchange:

• confidentiality (national, strategic reasons...), integrity and availability of the exchanged information (relevance)

• control over the recipients of a piece of information

• need for the owner's agreement before a piece of information is broadcast, etc.
Information sharing and exchange in a coalition

Some conditions for a COP to succeed

It is therefore desirable that the modalities of sharing/broadcasting information be:

• explicit

• known and accepted by all

• preservable or modifiable when a partner in the coalition changes

• "flexible" (taking the dynamics of the context into account)

• analysable globally (consistency, completeness...)
Notion of sharing policy

Security policy for managing the modalities of information broadcast: a set of rules regulating the broadcast action

Examples of rules:

• In case of a terrorist event, any new information on this event must be broadcast to the commander of the Joint Task Force within the hour following its acquisition.

• In case of crisis, an agent of the Air sector is obliged to broadcast to his chief any information on the theme "Air traffic" within 20 seconds of acquiring it.

• An agent is forbidden to broadcast information relating to a theme that is sensitive for his country to an agent whose clearance is lower than his own.
Notion of sharing policy

To which knowledge does such a policy apply?

To the knowledge an agent has just learned?

Not always relevant

If an agent A has just learned a piece of knowledge k at t,

• BD(A, t<) = A's previous knowledge base

• BD(A, t, k) = A's knowledge base revised after the acquisition of k

• Δ = BD(A, t, k) - BD(A, t<)

  ✓ the pieces of knowledge whose truth value has changed
  ✓ those whose truth value has become undetermined

Δ: the set of pieces of information liable to be broadcast, to be submitted to the sharing policy
Useful concepts for expressing a sharing policy

Some requirements

Military context: it is important to avoid information leaks

→ avoid any possibility of delegating rights between users

Norms:

not only permissions,

but also obligations (and prohibitions)

→ Philosophy: a compromise between discretionary and mandatory security policy models
Useful concepts for defining a sharing policy

Time

• validity time of a piece of information (instants, intervals),

• time at which an agent learns a piece of information

• time at which he broadcasts a piece of information to another agent.

On 13 June Pierre learns that aircraft AV-FR355 stayed in Toulouse from 10 to 11 June; Pierre tells Martin on 14 June.

Actions

apprend(x, i, t): agent x learns information i at time t
diffuse(x, i, y, t): agent x broadcasts information i to agent y at time t
Useful concepts for expressing a sharing policy

Fluents: to describe a situation

type(x, y)                  type(AV-FR355, Rafale)
allie(x, y, t)              allie(France, Espagne, 090806)

Particular fluents:

theme(i, th)                theme(position(AV-FR355, km255, 220906), Nucleaire)
level(x, l, t) (+ lattice on L)   level(Pierre, CD, 220906)
joue-role(x, r, o, t)       joue-role(Pierre, Chief, Unity4, 220906)
h-superior(r1, r2, o, t)    h-superior(Commandant, Lieutenant, Unity4, t)
Useful concepts for expressing a sharing policy

Modalities

• obligation(diffuse(x, i, y, t)),

• interdiction(diffuse(x, i, y, t)),

• permission(diffuse(x, i, y, t))

+ axioms for consistency:

• ¬(obligation(x) ∧ interdiction(x))

• obligation(x) → permission(x)

Context

crise(t)   paix(t)   occurence(e, Terrorisme, t) ...

General form of a rule: context → rule
A formalism for defining a sharing policy

Modelling a sharing policy

• definition of a typed first-order logical language

• use of this language to describe the rules of a sharing policy

• advantages of this language:

  ✓ expressive power, unambiguous semantics
  ✓ possibility of automatic computation in some cases

  → evaluating properties of the theory that represents the policy

ONERA
A formalism for defining a sharing policy

Examples of rules (1)

In a terrorism context, every observer is obliged to immediately broadcast to his chief any information relating to the theme cible-terrorisme (terrorist target).

∀e ∀a ∀b ∀i ∀o ∀t ∀t'

occurence(e, Terrorisme, t)
∧ joue-role(a, Observateur, o) ∧ joue-role(b, Chef-renseignement, o)
∧ apprend(a, i, t) ∧ apprend(a, theme(i, Cible-terrorisme), t')

→ obligation(diffuse(a, i, b, t'))
A formalism for defining a sharing policy

Examples (2)

In case of crisis, anyone in coalition K is forbidden to broadcast information relating to the theme Nucleaire to agents of K other than the chief of the intelligence service.

∀x ∀y ∀r ∀i ∀t ∀t' ∀t''

crise(t) ∧ apprend(x, i, t) ∧ apprend(x, theme(i, Nucleaire), t') ∧ t'' > t'
∧ joue-role(x, r, K) ∧ ¬joue-role(y, Chef-renseignement, K)

→ interdiction(diffuse(x, i, y, t''))
Properties of sharing policies: Consistency

(C1): ¬(obligation(x) ∧ interdiction(x))

(C2): ¬(permission(x) ∧ interdiction(x))

Dom: the set of formulas modelling the domain constraints
Examples: ¬(crise(t) ∧ paix(t))
          ¬(occurence(e, Terrorisme, t) ∧ paix(t))
          rules for inferring the themes of pieces of information...

Definition

A policy P is consistent iff there is no set S (Situation) of clauses written without deontic literals such that

P ∪ (C1) ∪ (C2) ∪ Dom ∪ S is inconsistent
Properties of sharing policies: Consistency

Example

(R1) ∀x ∀i ∀t ∀t'

crise(t) ∧ apprend(x, i, t) ∧ apprend(x, theme(i, Cible-terrorisme), t')

→ obligation(diffuse(x, i, Martin, t'+1))

(R2) ∀x ∀y ∀i ∀t ∀t' ∀t''

crise(t) ∧ apprend(x, i, t) ∧ apprend(x, theme(i, Nucleaire), t') ∧ t'' > t'

→ interdiction(diffuse(x, i, y, t''))

A policy containing these two rules is inconsistent.

Example of a situation S: dilemma on 31 March

• We are in a crisis context on 30 March.

• On 30 March, Pierre learns a piece of information concerning the theme Nucleaire;

• On 31 March, Pierre learns that it concerns the theme Cible-terrorisme.
Properties of sharing policies: Completeness

1st definition:

A policy P is complete iff for every context c, every instant t, every piece of information i and every pair of agents x and y, we have

P ⊨ c → obligation(diffuse(x, i, y, t)) or

P ⊨ c → interdiction(diffuse(x, i, y, t)) or

P ⊨ c → permission(diffuse(x, i, y, t))

A very restrictive definition! It assumes that every case must be anticipated from the moment the policy is created.
Properties of sharing policies: Completeness

2nd definition:

Let D(x, i, y, t) be a formula and c a context.

A policy P is complete for the formula D and the context c iff we have

P ⊨ c → (∀x ∀y ∀i ∀t D(x, i, y, t) → obligation(diffuse(x, i, y, t))) or

P ⊨ c → (∀x ∀y ∀i ∀t D(x, i, y, t) → interdiction(diffuse(x, i, y, t))) or

P ⊨ c → (∀x ∀y ∀i ∀t D(x, i, y, t) → permission(diffuse(x, i, y, t)))

(D, c): the scope of the completeness

(example: conditions on a type of information, on an agent...)
Properties of sharing policies: Completeness

Example

(R1) ∀x ∀i ∀t ∀t'

crise(t) ∧ apprend(x, i, t) ∧ apprend(x, theme(i, Cible-terrorisme), t')
→ obligation(diffuse(x, i, Martin, t'+1))

(R3) ∀x ∀y ∀i ∀t ∀t' ∀t''

paix(t) ∧ apprend(x, i, t) ∧ apprend(x, theme(i, Nucleaire), t') ∧ t'' > t'
→ interdiction(diffuse(x, i, y, t''))

Example: a policy complete for the scope (D, c) where

D = agents having learned information concerning the theme Nucleaire
c = peace context
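The rule shapes of the slides above (R1, R2, R3), the consistency check of a policy against a situation S under axioms (C1) and (C2), and the second completeness definition for a scope (D, c), worked through as an added Python example; this is not code from the paper or the slides. It assumes a finite agent set and a finite time horizon so that the universally quantified y and t'' can be enumerated, uses integer day numbers in place of dates, and encodes the context c as context atoms of the situation S. The situations S_DILEMMA and S_PEACE are constructed from the slide examples.

```python
"""Finite-domain checker for the deontic sharing rules on the slides (added example)."""
from dataclasses import dataclass
from itertools import product

# Assumptions of this example (not from the slides): a finite agent domain and a
# finite time horizon (days of March as integers), so that the universally
# quantified variables y and t'' can be enumerated.
AGENTS = ("Pierre", "Martin")
HORIZON = range(28, 34)
MODALITIES = ("obligation", "interdiction", "permission")

@dataclass(frozen=True)
class Deontic:
    """A ground deontic literal, e.g. obligation(diffuse(x, i, y, t))."""
    modality: str
    action: tuple  # ("diffuse", x, i, y, t)

def learn_times(S, x, i):
    """All t such that apprend(x, i, t) is an atom of situation S."""
    return {a[3] for a in S if a[0] == "apprend" and a[1] == x and a[2] == i}

def theme_times(S, x, i, th):
    """All t' such that apprend(x, theme(i, th), t') is an atom of S."""
    return learn_times(S, x, ("theme", i, th))

def infos(S):
    """Information constants that some agent has learned in S."""
    return {a[2] for a in S if a[0] == "apprend" and isinstance(a[2], str)}

def rule_r1(S):
    # (R1) crise(t) ∧ apprend(x,i,t) ∧ apprend(x, theme(i, Cible-terrorisme), t')
    #      → obligation(diffuse(x, i, Martin, t'+1))
    out = set()
    for x, i in product(AGENTS, infos(S)):
        if any(("crise", t) in S for t in learn_times(S, x, i)):
            for t1 in theme_times(S, x, i, "Cible-terrorisme"):
                out.add(Deontic("obligation", ("diffuse", x, i, "Martin", t1 + 1)))
    return out

def interdiction_rule(context):
    # (R2) with context "crise" and (R3) with context "paix" share one shape:
    # context(t) ∧ apprend(x,i,t) ∧ apprend(x, theme(i, Nucleaire), t') ∧ t'' > t'
    #      → interdiction(diffuse(x, i, y, t''))
    def rule(S):
        out = set()
        for x, i, y in product(AGENTS, infos(S), AGENTS):
            if any((context, t) in S for t in learn_times(S, x, i)):
                for t1 in theme_times(S, x, i, "Nucleaire"):
                    for t2 in HORIZON:
                        if t2 > t1:
                            out.add(Deontic("interdiction", ("diffuse", x, i, y, t2)))
        return out
    return rule

R1, R2, R3 = rule_r1, interdiction_rule("crise"), interdiction_rule("paix")

def consequences(policy, S):
    """Ground deontic literals that the rules of the policy derive from S."""
    return set().union(*(rule(S) for rule in policy))

def conflicts(policy, S):
    """Actions violating (C1) ¬(obligation(a) ∧ interdiction(a)) or
    (C2) ¬(permission(a) ∧ interdiction(a)) in situation S. A non-empty result
    is a witness S that the policy is inconsistent; an empty result proves
    nothing about other situations."""
    derived = consequences(policy, S)
    forbidden = {c.action for c in derived if c.modality == "interdiction"}
    return sorted(c.action for c in derived
                  if c.modality != "interdiction" and c.action in forbidden)

def complete_for(policy, S, D):
    """Second completeness definition on the finite domain: the modality m such
    that every (x, i, y, t) satisfying D gets m for diffuse(x, i, y, t), or None.
    The context c is encoded as context atoms already present in S."""
    derived = consequences(policy, S)
    field = [q for q in product(AGENTS, infos(S), AGENTS, HORIZON) if D(S, *q)]
    for m in MODALITIES:
        regulated = {c.action for c in derived if c.modality == m}
        if field and all(("diffuse",) + q in regulated for q in field):
            return m
    return None

def D_nuclear(S, x, i, y, t):
    """Scope D of the slide: x has learned (before t) that i concerns the theme Nucleaire."""
    return any(t1 < t for t1 in theme_times(S, x, i, "Nucleaire"))

# Constructed situation for the "dilemma on 31 March" slide (30 = 30 March).
S_DILEMMA = {
    ("crise", 30),
    ("apprend", "Pierre", "i1", 30),
    ("apprend", "Pierre", ("theme", "i1", "Nucleaire"), 30),
    ("apprend", "Pierre", ("theme", "i1", "Cible-terrorisme"), 31),
}

# Constructed peace-context situation for the completeness example (c = paix at every instant).
S_PEACE = {("paix", t) for t in HORIZON} | {
    ("apprend", "Pierre", "i2", 29),
    ("apprend", "Pierre", ("theme", "i2", "Nucleaire"), 30),
}

if __name__ == "__main__":
    print("(C1) violations of {R1, R2} on S_DILEMMA:", conflicts([R1, R2], S_DILEMMA))
    print("{R1, R3} on scope (D_nuclear, peace):", complete_for([R1, R3], S_PEACE, D_nuclear))
```

On S_DILEMMA the policy {R1, R2} derives both obligation(diffuse(Pierre, i1, Martin, 32)) via R1 and interdiction(diffuse(Pierre, i1, y, t'')) for every y and t'' > 30 via R2, so the same action is obliged and forbidden and (C1) is violated, which is exactly the dilemma of the slide; the situation S is the witness the consistency definition asks for. On S_PEACE the policy {R1, R3} returns the single modality interdiction for every quadruple of the scope, matching the second completeness definition, whereas {R1} alone regulates none of them. Enumerating a finite domain can exhibit a counterexample or confirm a property on that domain only; it is not a proof over the full first-order language, which is what the algorithms announced in the conclusions would have to provide.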
Conclusions

Contributions:

Modelling and formalisation of sharing policies

Definition of two important properties of sharing policies

Extensions in progress or future:

Algorithms for evaluating the consistency and completeness of a policy
Concept of role (with reference to an organisation model of the coalition)
Semantics of "apprend" (learns)

Extending the broadcast action to speech acts (asking, answering...)

Non-atomic information

Updating a sharing policy